This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Lack of 302 response in Authentication endpoint will expose users credentials in a shared environment. #3610

Open
ltfleming opened this issue Mar 31, 2017 · 0 comments

Comments

@ltfleming

Hi,

I have noticed a security issue with the main AuthenticationController.

In the case of a failed login attempt, IDS returns a 200 response with the error.
This is a security concern, as the user's credentials can then be retrieved using the browser's history on a shared PC.

A misspelled email address would essentially give away a user's credentials.
For example with an email address of [email protected], it would be very easy for an attacker to correct the email address and gain access.

In order to mitigate the risk in my implementation, I have had to alter the IDS code to return a redirect (302) to the login page with the error message (in 4 places in the LoginLocal method), and then accept the error message as a parameter of the Login method.

public async Task Login(string signin = null, string errorMessage = "")
...
return Redirect(PublicOrigin + context.Request.Uri.PathAndQuery + "&errorMessage=" + errorMessage);
//return await RenderLoginPage(signInMessage, signin, errorMessage, model.Username, model.RememberMe == true);

Is this something that can be changed in IDS to enhance the security?

Potentially a new RedirectToLoginPage method could be added and replace the calls to RenderLoginPage for the relevant code.

Cheers,

Liam
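The two behaviours discussed in this issue, side by side, as an added example that is not IdentityServer3 code: a framework-free login handler that either answers a failed POST with 200 and the re-rendered form (the behaviour reported above) or applies Post/Redirect/Get and answers with a 303 to a GET of the login page. The user store, the `signin` query parameter, the `/login` path and the `invalid_credentials` error code are all constructed for the example; the redirect deliberately carries an opaque error code rather than free text, and builds the query with `urlencode` so that values are percent-encoded and the `?`/`&` choice is correct whether or not the request already had a query string.

```python
"""Post/Redirect/Get for a failed local login (added example, not IDS code)."""
import hmac
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed user store for this example; plain-text password only to keep
# the example short (a real store holds password hashes).
USERS = {"liam@example.com": "correct-horse-battery-staple"}

# Error text keyed by an opaque code. The redirect carries the code, never
# free text, so nothing attacker-chosen is reflected into the login page.
ERRORS = {"invalid_credentials": "Invalid username or password."}


def check_credentials(username, password):
    """Constant-time password comparison for a known user."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def render_login_page(signin, message=None, username=""):
    """Minimal login form; the username field is pre-filled when given."""
    error = f'<p class="error">{html.escape(message)}</p>' if message else ""
    return (
        f'<form method="post" action="/login?signin={html.escape(signin)}">'
        f"{error}"
        f'<input name="username" value="{html.escape(username, quote=True)}">'
        '<input name="password" type="password">'
        "<button>Sign in</button></form>"
    )


def login_post_render(request_uri, form):
    """Behaviour described in the issue: on failure, answer the POST itself
    with 200 and the re-rendered form, echoing the submitted username."""
    if check_credentials(form["username"], form["password"]):
        return 302, {"Location": "/"}, ""
    signin = dict(parse_qsl(urlsplit(request_uri).query)).get("signin", "")
    body = render_login_page(signin, ERRORS["invalid_credentials"], form["username"])
    return 200, {"Content-Type": "text/html"}, body


def login_post_redirect(request_uri, form):
    """Post/Redirect/Get: on failure, 303 to a GET of the login page that
    carries only an error code; nothing from the submitted form is echoed."""
    if check_credentials(form["username"], form["password"]):
        return 302, {"Location": "/"}, ""
    parts = urlsplit(request_uri)
    query = dict(parse_qsl(parts.query))
    query["error"] = "invalid_credentials"
    # urlencode percent-encodes values and works with or without an existing
    # query string, unlike appending "&errorMessage=" + text by hand.
    location = f"{parts.path}?{urlencode(query)}"
    return 303, {"Location": location, "Cache-Control": "no-store"}, ""


def login_get(request_uri):
    """GET handler for the redirect target. Unknown error codes are dropped,
    not echoed, so the query string cannot inject text into the page."""
    query = dict(parse_qsl(urlsplit(request_uri).query))
    message = ERRORS.get(query.get("error", ""))
    body = render_login_page(query.get("signin", ""), message)
    return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, body


def demo():
    """A misspelled address with the correct password, handled both ways.
    Returns (200-variant response, 303-variant response, follow-up GET)."""
    uri = "/login?signin=abc123"
    form = {"username": "liam@exmaple.com", "password": "correct-horse-battery-staple"}
    rendered = login_post_render(uri, form)
    redirected = login_post_redirect(uri, form)
    followup = login_get(redirected[1]["Location"])
    return rendered, redirected, followup


if __name__ == "__main__":
    rendered, redirected, followup = demo()
    print("200 variant: status", rendered[0], "body echoes username:",
          "liam@exmaple.com" in rendered[2])
    print("303 variant: Location", redirected[1]["Location"])
    print("follow-up GET body echoes username:", "liam@exmaple.com" in followup[2])
```

The difference that matters on a shared machine is what the browser keeps in its session history. With the 200 variant the history entry is the POST navigation itself: reload or back/forward on it resubmits the form body (the "confirm form resubmission" prompt), and the document it shows has the submitted username pre-filled. After the 303 the history entry is a plain GET URL carrying only `error=invalid_credentials`, and the re-rendered page contains nothing from the failed submission. 303 See Other is the status defined for exactly this POST-then-GET step; browsers treat a 302 after a POST the same way in practice, which is why the workaround in the issue also works. Sending `Cache-Control: no-store` on the login page keeps the form out of the HTTP cache as well.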
